Safely rolling out FileMaker Web Direct (FMWD) to remote users

I'm working with a client running on FileMaker Server 14 who is contemplating rolling out FileMaker Web Direct (FMWD) to a remote user base.

The IT department has concerns about opening ports. They are willing to open up port 443, but they have concerns about opening up port 80.

I looked at past threads on community.FileMaker.com and read a number of PDF white papers on FileMaker Web Direct (FMWD), and have a couple of remaining questions (and some amount of time pressure to do the research).

Can FileMaker Web Direct (FMWD) be run entirely on port 443?

Is there any quantifiable danger in running FileMaker Web Direct (FMWD) on port 80 and, if not, is there any available documentation to address the concerns of the IT department?

Is it possible to run FileMaker Web Direct (FMWD) 14 on a 2-machine configuration, so that we could put the FileMaker Web Direct (FMWD) outside of the firewall while keeping the database machine inside?

In this use case, the FileMaker Web Direct (FMWD) users will be coming from a variety of unpredictable IP addresses. Is there a way of locking down access by IP address, for example whitelisting by country IP address?

Please note that we have considered implementing a VPN but that would be problematic since there are so many users.

Finally, here is a general question: is there a way to take the FileMaker Server access logs and pipe them in real time to a shell script that verifies that the account names and/or IP addresses are on the approved list and, if they are not on the list, disconnects the user with an fmsadmin command?

Whitelisting: not in FM but perhaps upstream before the traffic hits the FMS server?

2-machine deployment: yep, that should work.

live-piping/monitoring: sure, I don't see why not. Would be a heck of a job to set up but it could be done. It would be an 'after the fact' kinda thing though. I probably wouldn't use the access log but the output from 'fmsadmin list clients -s'
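
The polling check discussed in the reply above, as an added example that is not part of the original thread: it reads a client listing, flags clients whose account or source IP is not on an approved list, and prints (does not run) the matching `fmsadmin disconnect client` commands. The tab-separated input format, the sample accounts and the IP prefixes are assumptions constructed for illustration; the real `fmsadmin list clients -s` output has to be parsed into that form first.

```shell
#!/bin/sh
# ASSUMPTION: input is "client_id<TAB>account<TAB>ip" per line, a simplified
# form of `fmsadmin list clients -s`; the real columns vary by server version.
ALLOWED_ACCOUNTS="jsmith mlee"                  # constructed sample accounts
ALLOWED_IP_PREFIXES="203.0.113. 198.51.100."    # constructed (RFC 5737 ranges)
TAB=$(printf '\t')

account_ok() {
    for a in $ALLOWED_ACCOUNTS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

ip_ok() {
    for p in $ALLOWED_IP_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# Reads the simplified listing on stdin and prints the IDs of clients whose
# account or source address is not approved (policy assumption: both must match).
find_violations() {
    while IFS="$TAB" read -r id account ip; do
        case "$id" in ''|*[!0-9]*) continue ;; esac   # skip header and blank lines
        if ! account_ok "$account" || ! ip_ok "$ip"; then
            echo "$id"
        fi
    done
}

# Dry run: prints the disconnect command per violating client, does not run it.
disconnect_commands() {
    find_violations | while read -r id; do
        echo "fmsadmin disconnect client $id -y"
    done
}

# Constructed sample listing: header row plus four clients.
sample_listing() {
    printf '%s\t%s\t%s\n' \
        "ID" "ACCOUNT" "IP" \
        "3" "jsmith" "203.0.113.10" \
        "7" "guest" "203.0.113.44" \
        "9" "mlee" "192.0.2.55" \
        "12" "mlee" "198.51.100.7"
}
sample_listing | disconnect_commands
```

Because the listing is polled, a client that fails the check has already connected by the time it is flagged, so this complements upstream filtering rather than replacing it.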